Perceptive Security
SOC/SIEM Consultancy

Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace
Published:
4 December 2025 at 12:00:00
Alert date:
5 December 2025 at 08:03:23
Source:
cisa.gov

Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior contain a Direct Request ('Forced Browsing') vulnerability (CVE-2025-26381) with a CVSS v3.1 score of 9.3. A remote attacker could exploit it with low attack complexity to gain unauthorized access to sensitive information. The product is deployed in critical infrastructure sectors worldwide, including commercial facilities, manufacturing, energy, government services, and transportation systems. Mitigation requires upgrading to patch level 2025.1.3 or disabling the mobile application in Microsoft IIS.
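The advisory names the weakness class only (CWE-425, Direct Request / Forced Browsing). The following is an added illustration of that class written for this page; it is not code from Johnson Controls, CISA, or the advisory. The routes, roles, user names and IIS-style log lines are constructed assumptions. It shows the shape of the defect (authorization enforced only when links are rendered, not when the resource is requested), the hardened handler that checks authorization on every request, and a defender-side check that scans W3C-format IIS logs for successful unauthenticated requests to protected paths.

```python
"""Illustration of CWE-425 (forced browsing) with a hardened handler and a
log check. Added example for this page; all routes, roles and log lines are
constructed assumptions, not data from the advisory."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None means unauthenticated

# Constructed role table: user -> roles held.
ROLES: Dict[str, Set[str]] = {"alice": {"admin"}, "bob": {"employee"}}

# Constructed resource catalogue: path -> (roles allowed, or None for public; body).
RESOURCES: Dict[str, Tuple[Optional[Set[str]], str]] = {
    "/": (None, "public landing page"),
    "/workplace/bookings": ({"employee", "admin"}, "desk bookings"),
    "/workplace/admin/export": ({"admin"}, "occupancy export"),
}

def menu(user: Optional[str]) -> List[str]:
    """Links shown in the UI: only those the user may follow."""
    held = ROLES.get(user or "", set())
    return [p for p, (req, _) in RESOURCES.items() if req is None or held & req]

def vulnerable_handler(req: Request) -> Tuple[int, str]:
    """Forced-browsing defect: the only access control is the filtered menu.
    Anyone who types the URL directly gets the resource."""
    entry = RESOURCES.get(req.path)
    if entry is None:
        return 404, "not found"
    return 200, entry[1]

def hardened_handler(req: Request) -> Tuple[int, str]:
    """Authorization is decided per request from the resource's own policy,
    regardless of how the caller learned the URL."""
    entry = RESOURCES.get(req.path)
    if entry is None:
        return 404, "not found"
    required, body = entry
    if required is None:
        return 200, body
    if req.user is None:
        return 401, "authentication required"
    if not (ROLES.get(req.user, set()) & required):
        return 403, "forbidden"
    return 200, body

# Constructed IIS W3C log excerpt. IIS writes "-" for an empty cs-username and
# replaces spaces in the user agent with "+", so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-12-05 08:03:23 10.0.0.5 GET /workplace/admin/export - 443 - 203.0.113.9 Mozilla/5.0+(X11) - 200 0 0 120
2025-12-05 08:03:24 10.0.0.5 GET /workplace/bookings - 443 alice 198.51.100.7 Mozilla/5.0+(X11) https://host/ 200 0 0 30
2025-12-05 08:03:25 10.0.0.5 GET /workplace/admin/export - 443 - 203.0.113.9 Mozilla/5.0+(X11) - 401 2 5 10
2025-12-05 08:03:26 10.0.0.5 GET / - 443 - 198.51.100.7 Mozilla/5.0+(X11) - 200 0 0 8
"""

def find_forced_browsing(log_text: str, protected_prefixes: Tuple[str, ...]) -> List[Tuple[str, str, str]]:
    """Return (time, client ip, path) for 200 responses to protected paths
    served with no authenticated user. A hit means the application answered a
    direct request that the hardened handler would have rejected with 401."""
    fields: Dict[str, int] = {}
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = line.split()
        path = cols[fields["cs-uri-stem"]]
        if not path.startswith(protected_prefixes):
            continue
        if cols[fields["sc-status"]] == "200" and cols[fields["cs-username"]] == "-":
            hits.append((cols[fields["time"]], cols[fields["c-ip"]], path))
    return hits

if __name__ == "__main__":
    print("menu for bob:", menu("bob"))
    print("vulnerable, no login:", vulnerable_handler(Request("/workplace/admin/export")))
    print("hardened, no login:", hardened_handler(Request("/workplace/admin/export")))
    print("log hits:", find_forced_browsing(SAMPLE_LOG, ("/workplace/",)))
```

The log check is deliberately conservative: it only flags successful responses with an empty cs-username, which is the signature a forced-browsing defect leaves when the server never challenged the caller. Applications that authenticate via cookies or tokens may log "-" even for legitimate sessions, so on a real deployment the username field should be replaced with whatever the application records for an authenticated session.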
Technical details
Mitigation steps:
Affected products:
Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace
Related links:
https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03
https://github.com/cisagov/CSAF
https://cwe.mitre.org/data/definitions/425.html
https://www.cve.org/CVERecord?id=CVE-2025-26381
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.cisa.gov/topics/industrial-control-systems
https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.